<br><font size=2 face="sans-serif">Agree for OpenID 2.0.</font>
<br>
<br><font size=2 face="sans-serif">What about OpenID 1.1 backwards-compatibility,
which doesn't have the claimed_id concept?</font>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Dan Ragle &lt;dragle@jupitermedia.com&gt;</b>
</font>
<br><font size=1 face="sans-serif">Sent by: general-bounces@openid.net</font>
<p><font size=1 face="sans-serif">19/07/2008 12:01 AM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">general@openid.net</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">Re: [OpenID] linking an openid to an
existing account</font></table>
<br>
<br></table>
<br>
<br>
<br><tt><font size=2>P.S. - per section 11.5 of the OpenID specs:<br>
<br>
"The Claimed Identifier in a successful<br>
authentication response SHOULD be used<br>
by the Relying Party as a key for local<br>
storage of information about the user.<br>
The Claimed Identifier MAY be used as a<br>
user-visible Identifier. When displaying<br>
URL Identifiers, the fragment MAY be<br>
omitted."<br>
<br>
Cheers!<br>
<br>
Dan<br>
<br>
> I have a question about best-practices. <br>
> <br>
> Consider a website with an existing user base. You want to provide
the <br>
> users an alternate means of authentication with an OpenID (e.g. replacing
<br>
> existing password-based authentication), so you show them a page (after
<br>
> they've authenticated) which says "Link an OpenID to your account".
<br>
> <br>
> The user authenticates with an OpenID, and the site associates &lt;something&gt;
<br>
> with the user's existing account so that in the future OpenID <br>
> authentication can happen as the primary login and the same &lt;something&gt;
<br>
> can be used to figure out which user account to log in as.<br>
> <br>
> My question is what is the best thing to use as &lt;something&gt;.
There are <br>
> options, most with certain limitations, and I wanted to see if the
<br>
> community has a general pattern or recommendation.<br>
> <br>
> For example, the &lt;something&gt; could be (non-exhaustive):<br>
> <br>
> 1. The "as-typed-in-by-the-user" user-supplied identifier.
This has <br>
> limitations that a user can have multiple user-supplied identifiers
that <br>
> normalize to the same id, and they can confuse themselves (e.g. <br>
> shane.myopenid.com = http://shane.myopenid.com). This doesn't work
well <br>
> with OP identifiers.<br>
> <br>
> 2. The claimed identifier after discovery. This doesn't play well
with <br>
> delegation if a user switches OPs but keeps their user-supplied <br>
> identifier.<br>
> <br>
> 3. Some other combination?<br>
> <br>
> Your thoughts appreciated.<br>
> <br>
> <br>
> <br>
> ------------------------------------------------------------------------<br>
> <br>
> _______________________________________________<br>
> general mailing list<br>
> general@openid.net<br>
> http://openid.net/mailman/listinfo/general<br>
</font></tt>
<br>
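<br><font size=2 face="sans-serif">An added example, not code from the thread or from any OpenID library: a relying-party link store keyed on the claimed identifier as section 11.5 recommends, next to the typed-identifier normalization behind option 1. The names normalize_user_input, display_form and LinkStore, the account id and the sample claimed identifier are assumptions, the normalization is simplified (no redirect following, no full RFC 3986 rules), and refusing to re-link an identifier to a second account is this example's policy choice.</font>

```python
from urllib.parse import urlsplit, urlunsplit

XRI_PREFIXES = "=@+$!("  # XRI global context symbols; XRIs are passed through here


def normalize_user_input(typed):
    """Simplified OpenID 2.0 normalization of a URL identifier as typed.

    Assumption: no redirect following and no full RFC 3986 normalization.
    """
    s = typed.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_PREFIXES:
        return s
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    # Lower-case the host, turn an empty path into "/", drop any fragment.
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))


def display_form(claimed_id):
    """User-visible form: the fragment may be omitted when displaying."""
    return urlsplit(claimed_id)._replace(fragment="").geturl()


class LinkStore:
    """Maps a claimed identifier (the storage key) to one local account."""

    def __init__(self):
        self._account_by_claimed_id = {}

    def link(self, account_id, claimed_id):
        # Key on the claimed identifier from the verified response, fragment
        # included, never on the typed string. Refuse to re-point an identifier.
        owner = self._account_by_claimed_id.setdefault(claimed_id, account_id)
        if owner != account_id:
            raise ValueError("identifier is already linked to another account")

    def account_for(self, claimed_id):
        return self._account_by_claimed_id.get(claimed_id)


if __name__ == "__main__":
    store = LinkStore()
    claimed = "http://shane.myopenid.com/#c0ffee"  # constructed sample value
    store.link("account-17", claimed)
    print(normalize_user_input("shane.myopenid.com"), display_form(claimed))
    print(store.account_for(claimed), store.account_for("http://shane.myopenid.com/"))
```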